New Java Exploit Already Attacking Web Browsers

Below:

Next story in Tech and gadgets

Just in time for the new year, there's a new Java zero-day
exploit out in the wild.

It's already being used by criminals to attack your Web browser,
and the only defense is to disable Java for browsers altogether.

"Java 0 day Spotted and massively exploited in the Wild! Disable
Java plugin now (or remove it)," tweeted the French security researcher who
calls himself Kafeine earlier today (Jan. 10).

Kafeine linked to technical details on his blog, and researchers
at AlienVault, a digital-security provider in San Mateo, Calif.,
quickly confirmed what he'd found.

Translating the Russian-language screenshots from hacker forums
that Kafeine had posted, American security blogger Brian Krebs noticed that "Paunch," the
leader of the group behind the Blackhole and Cool browser
exploit kits, had announced the new exploit to his clients as
a "New Year's gift."

It's possible that the Java zero-day is a product of Paunch's new
$100,000
bug-bounty program, in which the criminal's gang pays
independent researchers for new exploits.

Kafeine noted that the Nuclear Pack and Redkit exploit kits had
also incorporated the exploit.

Browser exploit kits are one-size-fits-all bundles of malware
that
attack Web browsers with one exploit after another until
something gets through and infects the target system. Exploit
kits are inserted into Web pages, often without the knowledge of
site administrators, by criminal gangs bent on profit.

As with most zero days, this exploit is so new that most
anti-virus software won't be able to protect against it.

The programming language Java was developed in the mid-1990s to
run on "virtual machines" that could be embedded in any computer
platform, and hence let software developers save time by building
applications only once.

It was quickly adapted by Web developers who wanted to create
small browser-based applications that could run on both Macs and
PCs (not to mention Linux and Unix).

But Java's virtual machine for desktops and laptops has been
plagued by security problems, with a seemingly endless number of
vulnerabilities and exploits in the past few years.